Wouldn’t Signature-less KEM be a better choice for TLS, than its current typical approach of six signatures, at least some of which involve both signing and verifying dynamically (per connection)?
--
Regards,
Uri
There are two ways to design a system. One is to make is so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/C75C0CDC-AC5E-4338-B13C-68E5FB91218C%40westerbaan.name.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/C75C0CDC-AC5E-4338-B13C-68E5FB91218C%40westerbaan.name.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/ABB0F22B-5356-4C6E-B02A-A0046B73B32F%40ll.mit.edu.
On Oct 31, 2021, at 17:31, Bas Westerbaan <b...@westerbaan.name> wrote:
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/C850B55A-1F2B-4E3E-82F2-127BFD037B1C%40westerbaan.name.
On 31 Oct 2021, at 23:16, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote:With KEMTLS each peer only needs to verify one signature (over static key/very). I daresay it’s tolerable.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/C936E4EE-C125-464F-B3EA-6333586322D3%40ll.mit.edu.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/20211101100803.1882488.qmail%40cr.yp.to.
Hi all,Possibly this is getting off-topic, but...I’m also hoping that the OCSP stapling can be replaced with CRLite eventually, where a compressed CRL is distributed through your favorite CDN, whether that’s Cloudflare or your ISP’s caches or whatever. Firefox has already deployed this, and I don’t see a good reason not to roll out CRLite or some variant of it to nearly every web transaction instead of OCSP stapling. OCSP (stapling) would then become the uncommon case.Basically you can replace the staples by consulting a ~1-2 MB compressed CRL on disk, plus ~10-20kB in updates on a typical day, depending on the exact strategy. Given the size of post-quantum signatures, this would be a big improvement over OCSP. Better data structures are now available since the original CRLite, which can further reduce file sizes and query times. The size will increase as the web grows, but it may also shrink as sites transition to shorter-lived certs, because it counts only unexpired revoked certs. It can balloon up to tens of megabytes for one update period if the web’s PKI explodes again, as it did with Heartbleed.Not that this solves the problem immediately, but at least we have a proven and deployed way forward.
> 3. Because of the lead time, we shouldn’t wait too long to adopt PQ
> signatures on the web. It would be ideal if these six signatures and
> two public keys would fit together within 9kB.
How many of the offline signatures could realistically be stateful
hash-based signatures?
With DNS Queries over HTTPS (DoH) it has become/will be a bit easier to introduce new types of data in DNS. An application can chose to use a DNS resolver that supports the DNS extention it needs.
of 15 "DNS security mess" talks on https://protect2.fireeye.com/v1/url?k=856275f9-daf94cf9-85623562-86fc6812c361-57fb931fa58b1d8e&q=1&e=04db4b17-e7a1-458e-a0a9-52e6f9fe2caf&u=https%3A%2F%2Fcr.yp.to%2Ftalks.html.) So it's
circular to refer to DNSSEC as an argument that something doesn't work.
---Dan
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://protect2.fireeye.com/v1/url?k=46e1c674-197aff74-46e186ef-86fc6812c361-169decb381e1a1d0&q=1&e=04db4b17-e7a1-458e-a0a9-52e6f9fe2caf&u=https%3A%2F%2Fgroups.google.com%2Fa%2Flist.nist.gov%2Fd%2Fmsgid%2Fpqc-forum%2F20211111195711.581964.qmail%2540cr.yp.to.
Indeed.
But the panel discussion from NISTS 3rd PQ Conference
https://www.nist.gov/video/third-pqc-standardization-conference-session-v-applications (13:40– 14:20) talks about some scalability concerns with DoH/TCP/TLS for some DNS Operators.
From: 'John Mattsson' via pqc-forum <pqc-...@list.nist.gov>
Sent: Friday, November 12, 2021 9:06 AM
To: pqc-...@list.nist.gov
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/HE1PR0701MB3050CE791389D2F7F01ABBD389959%40HE1PR0701MB3050.eurprd07.prod.outlook.com.